Social engineering fraud and business email compromises are costing businesses millions and leaders their jobs.
There’s no patch for human stupidity, the saying goes. That’s unkind, and in many cases unfair. But it does convey a central truth: No matter how good your IT security is, people are always a potential weak spot.
In May, Austrian aerospace manufacturer FACC fired its chief executive following a fraud that cost the company €42 million. Walter Stephan had fallen for a hoax email requesting a money transfer to an account for a fake acquisition project. The fraud was significant enough that the company reported an operating loss of €23.4 million for its 2015/16 financial results, published the same month, against a loss of only €4.5 million the year before.
A statement for the company said: “The supervisory board came to the conclusion that Walter Stephan has severely violated his duties, in particular in relation to the ‘fake president’ incident.”
$1.2 billion of email fraud
Mr Stephan is far from alone, though. Belgian bank Crelan lost even more when it fell for a similar scam earlier this year. The fraudsters there made off with €75 million, enough to prompt a statement from the bank reassuring investors that the “intrinsic profitability of the bank remains intact”.
According to the FBI, such scams cost businesses worldwide $1.2 billion in 2015. That figure covers a range of frauds, but the pattern usually begins with compromising or impersonating the email account of someone inside the organisation. That account is then used to request an urgent transfer for some invented project or purchase, and the bank details supplied are the scammer's own.
A number of factors make these attacks so dangerous.
First, they can be surprisingly convincing, and it is not only the technologically illiterate who are vulnerable. The CFO of internet security firm Malwarebytes, for instance, fell for a fake president scam, as its CEO recently admitted. He got as far as initiating a $52,000 wire before the company's internal processes, which require a two-step validation for payments, caught it.
Cyber or just fraud? Don’t count on insurance
At the same time, they can also be quite simple to put together. In some cases, fraudsters have not hacked the company's email at all; they simply impersonate a senior manager from a newly created, similar-looking email address. The technical expertise required may be slight, and the transfer itself relies on the victim. That has led to disputes over whether insurers will pick up the losses: is it a cyber loss, or just fraud?
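The impersonation described above, and the urgent-transfer pattern outlined under the FBI figure, leave traces in mail headers that a gateway or SIEM rule can catch before a finance clerk ever reads the message: a display name that claims to be an executive but comes from a freemail or lookalike address, a sender domain that differs from the company's by a homoglyph or a single character, or a Reply-To that silently diverts the conversation to a domain the fraudster controls. The following is an added example written for this page, not code from the article or from FACC, Crelan or Malwarebytes; the corporate domain, the executive directory and the sample headers are all constructed for illustration.

```python
"""Flag inbound mail that impersonates an executive by display name,
lookalike sender domain, or a Reply-To that diverts the thread elsewhere.

Added example, not code from the article or any company it names.
CORPORATE_DOMAIN, EXECUTIVES and SAMPLES below are constructed.
"""
import unicodedata
from email.utils import parseaddr
from typing import Dict, List, Optional

CORPORATE_DOMAIN = "example-corp.com"  # assumed: the firm's real mail domain

# Assumed directory of senior staff whose names are worth protecting:
# lower-cased display name -> the only address they legitimately send from.
EXECUTIVES = {
    "walter stephan": "w.stephan@example-corp.com",
}

# Character substitutions fraudsters use when registering lookalike domains.
# Multi-character tricks run first, then single-character digit swaps.
_PAIR_SUBS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
_CHAR_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Collapse homoglyph tricks so a lookalike compares equal to the domain
    it imitates (exarnple-corp.com -> example-corp.com). Accented and IDN
    characters are folded to ASCII first."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()
    for fake, real in _PAIR_SUBS:
        d = d.replace(fake, real)
    return d.translate(_CHAR_SUBS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch near misses such as a dropped letter or a
    swapped TLD (example-corp.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def lookalike_reason(domain: str) -> Optional[str]:
    """Return why `domain` resembles the corporate domain, or None."""
    if domain == CORPORATE_DOMAIN:
        return None
    norm = normalize_domain(domain)
    if norm == CORPORATE_DOMAIN:
        return f"homoglyph lookalike domain {domain}"
    dist = levenshtein(norm, CORPORATE_DOMAIN)
    if dist <= 2:
        return f"lookalike domain {domain} (edit distance {dist})"
    return None


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return the impersonation indicators found in one message's headers
    (header name -> raw value). An empty list means nothing suspicious."""
    reasons: List[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' claims an executive but sender is {addr}")
    from_domain = domain_of(addr)
    reason = lookalike_reason(from_domain)
    if reason:
        reasons.append(reason)
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")
        reason = lookalike_reason(domain_of(reply_to))
        if reason:
            reasons.append(reason)
    return reasons


# Constructed sample headers (not real traffic).
SAMPLES = {
    "legit":     {"From": "Walter Stephan <w.stephan@example-corp.com>"},
    "freemail":  {"From": "Walter Stephan <walter.stephan.ceo@gmail.com>"},
    "homoglyph": {"From": "Walter Stephan <w.stephan@exarnple-corp.com>"},
    "reply_to":  {"From": "Accounts <accounts@example-corp.com>",
                  "Reply-To": "accounts@example-corp.co"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_headers(hdrs) or "clean")
```

Run as-is it prints one line per sample; only the first comes back clean. The point of the Reply-To check is that the From line can be a perfectly genuine corporate address (a compromised mailbox, or a spoofed one where the domain lacks strict SPF/DMARC) while the reply goes to the fraudster's lookalike. None of this replaces the payment-approval control discussed below; it only buys the finance team an earlier warning.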
Finally, though, they’re dangerous because they’re increasingly common. Businesses must expect to be targeted.
To prepare, review training so that staff, especially senior managers and those in finance departments, are aware of the risks. But companies must also look to their processes for approving payments. As Malwarebytes discovered, controls in this area can make the difference between merely red faces and real red ink on the accounts. Above all, don't rely on people alone, not because they're stupid, but simply because they're human.